Privacy Policy
Last Updated: June 25, 2026
Effective Date: June 25, 2026
This Privacy Policy describes how Pholio Studio, Inc. collects, uses, shares, and protects your personal data when you use the Pholio platform. Please read it carefully. By using Pholio, you acknowledge that you have read and understood this Policy.
1. Who We Are and How to Contact Us
Pholio Studio, Inc. ("Pholio," "we," "our," or "us") operates the platform accessible at www.pholio.studio and app.pholio.studio (collectively, the "Platform"). We are the data controller responsible for your personal data.
For all privacy-related questions, requests, or concerns, please contact our Privacy Team at:
Email: privacy@pholio.studio
Mailing address: Pholio Studio, Inc., [Your Address], [City, State, ZIP], United States
If you are located in the European Economic Area (EEA) or the United Kingdom, you also have the right to lodge a complaint with your local supervisory authority. We encourage you to contact us first so we can address your concern directly.
2. Scope of This Policy
This Privacy Policy applies to all personal data we collect when you: (a) visit our marketing website at www.pholio.studio; (b) create and use an account on our application at app.pholio.studio; (c) interact with us by email, social media, or any other channel; or (d) apply to or manage talent as an agency partner.
This Policy does not apply to third-party websites, services, or applications that may be linked from our Platform. We encourage you to review the privacy policies of any third parties before providing them with personal data.
If you are a talent user ("Talent"), this Policy explains how we handle your portfolio data, images, professional profile, and the casting analysis we generate to help agencies discover you. If you are an agency user ("Agency"), this Policy explains how we handle your roster management, team accounts, and business data. Some sections apply to both user types; where distinctions exist, we note them clearly.
3. Data We Collect and Why
We collect personal data only when necessary for legitimate business purposes. Below is a full account of the categories of data we collect, the source of that data, and the purpose for which we use it.
3a. Account and Identity Data
When you register for Pholio, we collect your full name, email address, password (stored as a hashed credential via Firebase Authentication), role (Talent or Agency), email verification status, and account timestamps. If you choose to sign in with a third-party provider, we receive limited identity data from that provider: with Google sign-in, your Google account email and basic profile; with Instagram sign-in, your Instagram user ID, username (handle), account type, and profile picture URL. We use this data to create and authenticate your account, communicate with you about your account, and maintain platform security. Legal basis (GDPR): Performance of a contract; Legitimate interests (fraud prevention and security).
3b. Profile and Portfolio Data (Talent)
Talent users voluntarily provide professional profile information, which may include display name, pronouns, biography, date of birth, location (city and country), languages, training and experience level, social media handles (such as Instagram and OnlyFans), modeling categories and booking lanes, comp card layout and styling preferences, and physical attributes such as height, weight, bust, waist, hip and shoe measurements, eye color, hair color, body type, and ethnicity or heritage. Some of these fields — in particular ethnicity/heritage and certain physical attributes — may constitute special category data. They are optional and provided at your discretion. This data is used to build your portfolio, generate PDF comp cards, and help agencies discover and evaluate you. Legal basis (GDPR): Performance of a contract; Consent (for special category data).
3c. Images and Media
Talent users upload photographs and other media to their portfolios. Uploaded files are processed (resized, converted, and thumbnailed) and stored with our object-storage provider, Cloudflare R2, and served via its content delivery network through your portfolio URL, subject to your visibility settings. We retain original, processed, and thumbnail versions of your images. We use uploaded images to display your portfolio, generate comp card PDFs, and produce the automated photo analysis described in Section 3g. Agency users may upload a workspace logo and related business imagery. Legal basis (GDPR): Performance of a contract; Consent (where images are processed for casting analysis).
3d. Agency and Business Data
Agency users provide business name, agency description, website URL, logo, social links, and contact details. Agencies may invite team members, who are assigned roles and permissions (role-based access control). Agencies may also create casting boards and booking lanes, and store internal notes, tags, application statuses, interview schedules, reminder entries, and commission records related to talent they manage. This data is used to operate agency dashboards, manage talent rosters, and facilitate applications between talent and agencies. Legal basis (GDPR): Performance of a contract; Legitimate interests.
3e. Application and Communication Data
When a Talent applies to an Agency, we record the application submission date, application status (such as pending, reviewed, accepted, declined, withdrawn, or kept on file), and any messages exchanged within the platform. We generate email notifications for certain events (such as new messages and application updates) and may include secure reply tokens so you can respond to a message directly from your email. We also maintain in-app notifications. This data is visible to the relevant Talent and Agency. Legal basis (GDPR): Performance of a contract.
3f. Payment and Subscription Data
We use Stripe, Inc. as our payment processor for all subscription billing and transaction management. When you subscribe to a paid plan, Stripe collects and stores your payment card details, billing address, and transaction history directly on their PCI-DSS-compliant infrastructure. We do not store full card numbers or CVV codes on our servers. We receive from Stripe only a tokenized reference, subscription status, plan tier, trial status, and billing cycle dates. Stripe's Privacy Policy governs their handling of your payment data: stripe.com/privacy. Legal basis (GDPR): Performance of a contract; Legal obligation (tax and accounting records).
3g. AI-Assisted and Derived Data
To operate our casting and discovery features, we process portfolio images and profile text using third-party AI services. Uploaded headshots are submitted to Groq, Inc.'s vision API, which returns a structured casting assessment that may include estimated physical measurements and attributes such as skin tone, bone structure, feature contrast, look type, photo quality, market signals, booking strengths, and indicative fit scores. We also send profile text and these AI-generated descriptions (not the images themselves) to OpenAI to create vector embeddings that power agency semantic search ("Discover"). This analysis is performed automatically as part of profile processing and is integral to providing the Platform; it is advisory and supports — but does not replace — human casting decisions. Where this processing derives information that may relate to special categories (such as appearance or ethnicity), we rely on your explicit consent obtained when you submit such data. We do not permit Groq or OpenAI to use your images or data to train their models. Legal basis (GDPR): Performance of a contract; Legitimate interests; Consent (for special category inferences).
3h. Technical, Device, and Location Data
When you access the Platform, we automatically collect your IP address, browser type and version, operating system, device type, referring URL, and page interaction data (clicks, scroll depth, time on page). We use a third-party geolocation provider (ipapi.co) to derive approximate location (country, region, city, timezone, and coordinates) from IP addresses. We use this data to maintain platform security, debug errors, prevent abuse, improve performance, populate visitor analytics, and — for Talent — to cross-reference IP-derived location against the location you report on your profile as a signal of authenticity. Legal basis (GDPR): Legitimate interests.
3i. Analytics and Usage Data
We collect aggregated usage statistics such as portfolio page views, unique visitors, geographic distribution of visitors, and application conversion rates. Talent users can view their own analytics in their dashboard. We use this data to help Talent understand their portfolio performance and to improve the Platform. Legal basis (GDPR): Legitimate interests; Performance of a contract.
3j. Session and Cookie Data
We use server-side session cookies to maintain your authenticated state across visits. Session identifiers are stored in our database and associated with your account. We also use strictly necessary cookies required for security and authentication. Within your account settings you can adjust certain cookie and notification preferences (for example, analytics and marketing). We do not use third-party advertising cookies or behavioral tracking cookies. See Section 10 (Cookies) for full details. Legal basis (GDPR): Legitimate interests; Legal obligation.
3k. Communications Data
If you contact us by email or through support channels, we retain the content of your communications and your contact details in order to resolve your inquiry and maintain a record for follow-up. Legal basis (GDPR): Legitimate interests.
3l. Minor and Guardian Data
Where a Talent's date of birth indicates they are under 18, we record additional compliance data, including the timestamp of verified parent or guardian consent and, where applicable, whether a work permit is on file. Until guardian consent is recorded, we restrict the collection of sensitive measurements and prevent public exposure of the minor's portfolio. See Section 11 (Children's Privacy). Legal basis (GDPR): Legal obligation; Consent.
4. Legal Bases for Processing (GDPR)
If you are located in the EEA or UK, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and UK GDPR:
Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide you with the Platform and its features — account creation, portfolio management, automated casting analysis and discovery, agency matching, and subscription management.
Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including platform security, fraud prevention, location verification, product improvement, and analytics — where those interests are not overridden by your rights.
Consent (Art. 6(1)(a)): Processing of special category profile data and any optional communications such as marketing emails. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal Obligation (Art. 6(1)(c)): Processing required for compliance with applicable law, such as financial recordkeeping for tax purposes and verification of parental or guardian consent for minors.
Where we process special categories of data — such as ethnicity/heritage, physical measurements, or appearance attributes derived from photo analysis, which may indirectly reveal racial or ethnic origin or health-related information — we rely on your explicit consent (Art. 9(2)(a) GDPR). You provide such data voluntarily as part of your professional profile; it is not mandatory.
5. How We Share Your Data
We do not sell your personal data. We share personal data only in the circumstances described below.
5a. With Other Platform Users
Public portfolio pages are visible to anyone who accesses your portfolio URL, subject to your visibility settings and, for minors, to guardian consent. Talent profiles — including portfolio images and the casting attributes we derive (see Section 3g) — are made discoverable to Agency users through our semantic search ("Discover") feature. Agency users who receive an application from a Talent will see that Talent's profile data, portfolio images, and contact details as part of the application workflow. Agencies and their authorized team members manage this data as independent controllers for their own business purposes.
5b. With Third-Party Service Providers
We share data with vendors who process data on our behalf under data processing agreements:
Firebase / Google LLC (Authentication and Identity): Manages login, credential verification, and Google sign-in. Privacy policy: firebase.google.com/support/privacy
Meta Platforms / Instagram (Optional Sign-In): Where you choose Instagram sign-in, we receive your Instagram user ID, handle, account type, and profile picture.
Stripe, Inc. (Payment Processing): Processes subscription payments and billing. Privacy policy: stripe.com/privacy
Groq, Inc. (AI Vision and Casting Analysis): Processes portfolio images to generate casting assessments.
OpenAI (Text Embeddings): Processes profile text and AI-generated descriptions (not images) to power semantic search.
Cloudflare, Inc. (Object Storage and CDN): Stores and serves portfolio images and media via Cloudflare R2.
Neon (Database Hosting): Hosts the PostgreSQL database in production environments. Data is encrypted at rest and in transit.
Netlify, Inc. (Hosting and Functions): Serves the Platform and executes serverless API functions.
ipapi.co (IP Geolocation): Receives IP addresses to return approximate location data for security, analytics, and location verification.
Email Service Provider (Transactional Email): Delivers account, application, and notification emails. [Provider to be confirmed and named once the production email service is finalized.]
5c. For Legal Compliance and Safety
We may disclose personal data if required by law, court order, subpoena, or regulatory authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Pholio, our users, or the public.
5d. Business Transfers
If Pholio undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users via email or prominent notice on the Platform at least 30 days before data becomes subject to a materially different privacy policy.
5e. Aggregated and De-identified Data
We may share aggregated, anonymized, or de-identified data (from which you cannot reasonably be identified) with third parties for research, analytics, or product improvement purposes.
6. International Data Transfers
Pholio is based in the United States. If you access the Platform from outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.
For users in the EEA, UK, or Switzerland, we implement appropriate safeguards for international transfers in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission where applicable. A copy of our transfer mechanisms is available upon request at privacy@pholio.studio.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.
Account Data: Retained for the duration of your account and for up to 3 years after account deletion, unless a longer retention period is required by law.
Portfolio Images and Media: Stored on Cloudflare R2 and deleted within 30 days of account deletion or upon your request, except where we are required to retain them for legal or dispute-resolution purposes.
AI-Derived Data and Search Embeddings: Casting assessments and the embeddings used for discovery are retained while your profile is active and re-generated when your profile changes; they are deleted alongside your profile data on account deletion.
Payment Records: Retained for 7 years in accordance with tax and financial recordkeeping obligations.
Application Records: Retained for 2 years after the conclusion of an application process.
Analytics Data: Aggregated analytics may be retained indefinitely as they do not identify individuals. Raw logs containing IP addresses are purged after 90 days.
Session Data: Active sessions expire after 30 days of inactivity. Expired session records are purged monthly.
Support Communications: Retained for 3 years from last contact to allow follow-up and resolve recurring issues.
You may request early deletion of your data at any time (see Section 8, Your Rights).
8. Data Security
We implement technical and organizational security measures proportionate to the sensitivity of the data we hold. These measures include:
Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
Encryption at rest: Database records are encrypted at rest on Neon's managed PostgreSQL infrastructure, and media is stored on Cloudflare R2.
Authentication security: Passwords are never stored in plaintext. We use Firebase Authentication, which applies secure hashing and credential storage.
Access controls: Only authorized personnel with a legitimate business need have access to personal data. Agency team access is governed by role-based permissions, and access is logged.
Session integrity: Sessions use cryptographically signed, server-stored tokens. Session IDs are rotated on authentication events.
Third-party security: Our payment data is handled exclusively by Stripe, a PCI-DSS Level 1 certified payment processor.
Despite these measures, no system is completely immune to security risks. If you suspect unauthorized access to your account, please contact us immediately at privacy@pholio.studio. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant authorities in accordance with applicable law (within 72 hours for GDPR-covered incidents).
9. Your Privacy Rights
Depending on where you reside, you have rights regarding your personal data. We honor these rights for all users regardless of location, to the extent technically feasible. Many of these can be exercised directly in your account settings, which include data export and erasure requests, account deactivation, portfolio visibility controls, the ability to block specific agencies, and contact, cookie, and notification preferences.
Right of Access: You may request a copy of the personal data we hold about you, along with information about how and why we process it.
Right to Rectification: You may request that we correct inaccurate or incomplete personal data. Most profile data can be updated directly in your account settings.
Right to Erasure ("Right to Be Forgotten"): You may request deletion of your personal data. We will delete your data subject to applicable retention obligations (e.g., financial records we must keep by law).
Right to Restriction: You may request that we limit how we process your data, for example while a dispute is being resolved.
Right to Data Portability: You may request an export of your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
Right to Object: You may object to processing based on legitimate interests, including profiling. We will cease such processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent: Where processing is based on consent (e.g., special category profile data, marketing emails), you may withdraw consent at any time without penalty.
Right to Non-Discrimination (CCPA): California residents have the right not to be discriminated against for exercising their privacy rights. We will not deny services, charge different prices, or provide a lower quality of service based on the exercise of these rights.
Right to Opt-Out of Sale: We do not sell personal data as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). No opt-out mechanism is required, but if our practices change, we will update this Policy and provide an opt-out link.
To exercise any of these rights, submit a request to privacy@pholio.studio with the subject line "Privacy Rights Request." We will verify your identity before processing the request and respond within 30 days (extendable by an additional 60 days for complex requests, with notice). We do not charge a fee for reasonable requests.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Platform. The table below describes the cookies we set.
Strictly Necessary Cookies: These are required for the Platform to function and cannot be disabled. They include session authentication cookies (to keep you logged in), CSRF protection tokens, and security-related identifiers. Legal basis: Legitimate interests / Legal obligation.
Preference Cookies: These store your preferences such as display settings and onboarding state, so you do not need to reconfigure them on each visit. Legal basis: Legitimate interests.
Analytics Cookies (First-Party): We use server-side analytics to track aggregated page views and feature usage. We do not use Google Analytics, Facebook Pixel, or other third-party tracking scripts on the authenticated application. Legal basis: Legitimate interests.
No Advertising Cookies: We do not use cookies for advertising, retargeting, or cross-site behavioral tracking.
Cookie Controls: Authenticated users can manage analytics and marketing preferences in their account settings. You can also control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in or using core Platform features. Disabling preference cookies will cause your preferences to reset on each visit.
11. Children's Privacy
Pholio supports professional talent who may be minors (for example, child models), but accounts for minors must be created and managed by a parent or legal guardian. Where a Talent's date of birth indicates they are under 18, we treat the profile as a minor profile and apply additional safeguards: we require a recorded parent or guardian consent before sensitive measurement data is collected or the portfolio is made publicly visible, and we may record whether a work permit is on file.
General-audience accounts are not directed to children below the minimum age required for data processing in their jurisdiction (16 in much of the EEA, or 13 in the United States where COPPA applies). We do not knowingly collect personal data from such children without verifiable parental or guardian consent.
If you are a parent or guardian and believe your child has created a Pholio account or provided us with personal data without your consent, please contact us immediately at privacy@pholio.studio. We will investigate and, if confirmed, delete the account and all associated data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. When we make material changes, we will:
(a) Update the "Last Updated" date at the top of this Policy;
(b) Notify registered users via email at least 14 days before the changes take effect; and
(c) Display a prominent notice on the Platform for at least 30 days.
For non-material changes (such as grammatical corrections or clarifications that do not alter the substance of the Policy), we will update the date and publish the revised Policy without separate notification. Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the updated terms.
We maintain a version history of this Policy, which is available upon request at privacy@pholio.studio.
13. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights in addition to those described in Section 8:
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collection, and the categories of third parties with whom it was shared.
Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, security purposes, legal compliance).
Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
Right to Opt-Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioral advertising as defined under the CCPA/CPRA.
Right to Limit Use of Sensitive Personal Information: We process sensitive personal information (such as physical measurements, ethnicity/heritage, and appearance attributes derived from photo analysis) to provide and operate the casting, portfolio, and discovery services you request. We do not use sensitive personal information to infer characteristics for purposes unrelated to delivering these services, and we do not sell or share it.
Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal data to third parties for direct marketing purposes. We do not disclose personal data to third parties for their own direct marketing purposes.
To submit a verifiable California consumer request, email privacy@pholio.studio with "California Privacy Rights Request" in the subject line. We will acknowledge receipt within 10 business days and respond substantively within 45 days (extendable by an additional 45 days with notice).
14. EEA and UK Residents — Additional Information
If you are located in the European Economic Area or the United Kingdom, the following additional information applies:
Data Controller: Pholio Studio, Inc. is the data controller for personal data processed through the Platform.
EU/UK Representative: [If applicable — If you do not have an EU/UK establishment, you should appoint an Art. 27 representative. Placeholder: Our EU/UK representative can be contacted at privacy@pholio.studio pending formal appointment.]
Supervisory Authority Complaints: You have the right to lodge a complaint with the supervisory authority in your EU member state or the UK Information Commissioner's Office (ICO) if you believe we have processed your data unlawfully. However, we would appreciate the opportunity to address your concern directly first.
Automated Processing: We use automated photo and profile analysis to generate casting assessments and to rank and surface talent in agency search. This processing supports human decision-making by agencies and Pholio; we do not make solely automated decisions that produce legal or similarly significant effects on you. You may request human review of, or object to, this processing by contacting us.
Legitimate Interests Assessment: Where we rely on legitimate interests as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Details of these assessments are available upon request.